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WHAT IS CLAIMED IS: 

1. A method for conducting a consistent, documented and yet 
repeatable compliance risk assessment and mitigation process, using a network-based 
system including a server system coupled to a centralized database and at least one 
client system, said method comprising the steps of: 

conducting a compliance program assessment; 

conducting a prioritization of compliance risks; 

identifying, for each compliance risk area, potential compliance 
failures and potential causes and effects of such compliance failures; and 

ensuring that risk monitoring and control mechanisms are in place to 
mitigate compliance risks. 

2. A method according to Claim 1 wherein said step of conducting 
a compliance program assessment further comprises the steps of: 

developing a binary questionnaire; 

assembling a cross functional team; 

defining what constitutes a "yes" answer for each question in the 
binary questionnaire; 

identifying and interviewing process owners for the questionnaire 

answers; 

compiling interview results; and 

summarizing findings and reviewing final results with compliance and 
functional leaders. 

3. A method according to Claim 1 wherein said step of conducting 
a prioritization of compliance risks further comprises the steps of: 

identifying the compliance risks of at least one of business' processes, 
products, environment, and location; and 
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prioritizing the business' highest risks. 

4. A method according to Claim 1 wherein said step of identifying 
further comprises the steps of: 

analyzing identified high compliance risk areas to determine potential 
compliance failures and root causes; and 

prioritizing actions that need to be taken; and 

developing policy scorecards to be used as a monitoring and reporting 

tool. 

5. A method according to Claim 1 wherein said step of identifying 
further comprises the steps of: 

reassembling the cross functional team that was initially used to 
conduct the compliance program assessment; 

mapping high risk process steps; 

beginning a construction of a Failure Mode in Effect Analysis 

(FEMA); 

assigning severity, occurrence and detection Factors; 
calculating Risk Prioritization Numbers (RPN); 
defining recommended actions to reduce RPNs; and 
defining scorecard content and format. 

6. A method according to Claim 1 wherein said step of ensuring 
that risk monitoring and control mechanisms are in place, further comprises the steps 
of: 

establishing appropriate controls to provide guidance to the business; 

and 

monitoring that the appropriate controls to mitigate compliance risks. 
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7. A method according to Claim 1 wherein said step of ensuring 
that risk monitoring and control mechanisms are in place, further comprises the steps 
of: 

developing action items; 

ensuring that the developed action items are completed in a timely 

manner; and 

establishing and monitoring the controls to mitigate compliance risks. 

8. A method according to Claim 2 wherein said step of identifying 
and interviewing process owners further comprises the steps of: 

identifying and interviewing for compliance using a knowledge base; 

and 

identifying and interviewing for compliance using a question owner's 

matrix. 

9. A method according to Claim 2 wherein said step of compiling 
interview results further comprises the step of compiling interview results using a 
spreadsheet configured for automatically converting the results from qualitative to 
quantitative and further configured to tabulate and graph the results. 

10. A method according to Claim 2 wherein said step of 
summarizing findings further comprises the step of summarizing the results of the 
assessment of at least one compliance program using at least one of a program 
assessment summary and a policy assessment summary. 

11. A method according to Claim 3 wherein said step of 
prioritizing the business' highest risk further comprises: 

mapping a high level business risk model; 

compiling a list of compliance requirements; 

prioritizing the list of compliance requirements; 

beginning construction of a quality function deployment (QFD); 
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entering a severity rating for non-compliance with requirements; 
assessing and evaluating compliance policies; 

identifying immediate risks and completing constructing of a QFD; and 
prioritizing compliance risk areas. 

12. A method according to Claim 1 1 wherein said step of mapping 
the high level business risk model further comprises the steps of: 

identifying core processes and products of a business; 

associating business risk with the core processes and products of a 

business; and 

associating business risk with compliance requirements. 

13. A method according to Claim 11 wherein said step of 
compiling a list of compliance requirements further comprises the step of compiling a 
list of compliance requirements including at least one of a company declared policy 
and/or practice, legal and regulatory requirements of a business, contractual 
requirements, compliance risks and internal requirements. 

14. A method according to Claim 11 wherein said step of 
prioritizing the list of compliance requirements further comprises prioritizing the 
severity level of non-compliance using a severity matrix. 

15. A method according to Claim 11 wherein said step of 
beginning construction of the quality function deployment (QFD) further comprises 
the steps of: 

beginning construction of the QFD using information generated in 
mapping the high level business risk model with a compliance requirements list 
developed in making a severity matrix; and 

quantifying the results using a risk QFD matrix. 
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16. A method according to Claim 1 1 wherein said step of assessing 
and valuating compliance policies further comprises the steps of: 

assessing business routines and controls to ensure compliance with 
each policy; and 

determining a quality function deployment (QFD) score. 

17. A method according to Claim 16 wherein said step of 
determining a quality function deployment (QFD) score further comprises the step of 
determining a QFD score as 

process strength rating x severity rating. 

18. A method according to Claim 16 wherein said step of 
determining a quality function deployment (QFD) score further comprises 
automatically entering the score into a risk QFD. 

19. A method according to Claim 11 wherein said step of 
prioritizing risk areas further comprises summarizing findings from the risk quality 
function deployment (QFD) using a risk prioritization matrix. 

20. A method according to Claim 1 1 further comprising the step of 
identifying the top three to five compliance requirements having the highest risk. 

21. A method according to Claim 5 wherein said step of mapping 
the high-risk process steps comprises the steps of: 

creating a process map; and 

creating a process map within a failure mode and effect analysis 

matrix. 

22. A method according to Claim 5 wherein said step of beginning 
the construction of a failure mode and effect analysis matrix further comprises the 
steps of determining potential failure modes for each step in a process, brainstorming 
potential effects of the failure identifying potential causes of the failures and 
documenting current controls. 
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23. A method according to Claim 5 wherein said step of assigning 
severity, occurrence and detection factors further comprises automatically entering the 
assigned factors into the failure mode and effect analysis matrix. 

24. A method according to Claim 5 wherein said step of 
determining risk prioritization numbers further comprises determining the risk 
prioritization numbers as 

severity rating x occurrence rating x detection rating. 

25. A method according to Claim 5 wherein said step of defining 
recommended actions to reduce the risk prioritization numbers further includes the 
step of automatically entering at least one of the recommended actions, an owner of 
the recommended action and expected date of completion of the recommended action 
into the failure mode and effect analysis matrix. 

26. A method according to Claim 5 wherein said step of defining 
recommended actions to reduce the risk prioritization number further comprises the 
steps of automatically reassigning ratings and redetermining the risk prioritization 
numbers. 

27. A method according to Claim 5 further comprising the step of 
monitoring progress in reducing the risk prioritization numbers. 

28. A method according to Claim 27 wherein the step of 
monitoring progress in reducing the risk prioritization numbers comprises monitoring 
progress in reducing the risk prioritization numbers using policy scorecards. 

29. A method according to Claim 1 further comprising the steps of 
compiling an actions items list and creating at least one policy dashboard. 

30. A method according to Claim 1 further comprising the step of 
monitoring metrics relating to training. 

31. A system for identifying and quantifying compliance 

comprising: 

at least one computer; 
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a server configured to read input information relating to identifying and 
quantifying compliance, assess at least one compliance program, prioritize risk, 
identify issues relating to the risk and mitigate and control to resolve the issues; 

a network connecting said computer to said server; and 

a user interface allowing a user to input information relating to 
identifying and quantifying compliance. 

32. A system according to Claim 3 1 wherein said server configured 
to assess at least one compliance program is further configured to assemble a cross 
function team, identify and interview for compliance, compile interview results and 
summarize the results of the assessment of at least one compliance program. 

33. A system according to Claim 32 wherein said server configured 
to assemble a cross-functional team is configured to assemble a cross-functional team 
using a knowledge base within said server. 

34. A system according to Claim 32 wherein said server configured 
to assemble a cross-functional team using a knowledge base is further configured to 
create a questionnaire that includes a plurality of binary questions relating to 
compliance and define what constitutes an affirmative answer to the questions. 

35. A system according to Claim 32 wherein said server configured 
to identify and interview for compliance is configured to identify and interview for 
compliance using a knowledge base within said server. 

36. A system according to Claim 35 wherein said server configured 
to identify and interview for compliance is further configured to identify and 
interview for compliance using a question owner's matrix. 

37. A system according to Claim 32 wherein said server configured 
to compile interview results using a spreadsheet is configured to compile interview 
results using a spreadsheet configured for automatically converting results from 
qualitative to quantitative and to tabulate and graph results. 

38. A system according to Claim 32 wherein said server configured 
to summarize the results of the assessment is configured to summarize the results of 
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the assessment using at least one of a program assessment summary and a policy 
assessment summary. 

39. A system according to Claim 31 wherein said server configured 
to prioritize the risk is further configured to map a high level business risk model, 
compile a list of compliance requirements, prioritize the list of compliance 
requirements, construct a quality function deployment (QFD) matrix, assign a severity 
rating for non-compliance with requirements, assess and valuate compliance policies, 
identify at least one immediate risk and prioritize compliance risks areas. 

40. A system according to Claim 39 wherein said server configured 
to map the high level business risk model is further configured to identify at least one 
core process and product of a business, associate business risk with at least one core 
process and product of a business and associate business risk with compliance 
requirements. 

41 . A system according to Claim 39 wherein said server configured 
to compile a list of compliance requirements is configured to compile a list of 
compliance requirements including at least one of a company declared policy and/or 
practice, legal and regulatory requirements of a business, contractual requirements, 
compliance risks and internal requirements. 

42. A system according to Claim 39 wherein said server configured 
to prioritize the list of company requirements is configured to prioritize the severity 
level of each occurrence of non-compliance in accordance with a severity matrix. 

43. A system according to Claim 39 wherein said server configured 
to construct the quality function deployment (QFD) matrix is further configured to 
construct the QFD matrix using information generated in mapping the high level 
business risk model with the compliance requirements list developed in creating a 
severity matrix. 

44. A system according to Claim 39 wherein said server configured 
to construct the quality function deployment (QFD) matrix is configured to quantify 
results using a risk QFD matrix. 

45. A system according to Claim 39 wherein said server configured 
to assess and evaluate compliance policies is configured to assess business routines 
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and controls to ensure compliance with each policy and determine a quality function 
deployment (QFD) score. 

46. A system according to Claim 45 wherein said server configured 
to determine a quality function deployment (QFD) score is configured determine a 
QFD score as 

process strength rating x severity rating. 

47. A system according to Claim 45 wherein said server configured 
to determine a quality function deployment (QFD) score is further configured to 
automatically enter the QFD score into a risk QFD matrix. 

48. A system according to Claim 39 wherein said server configured 
to prioritize compliance risk areas is further configured to summarize findings from 
the risk quality function deployment (QFD) matrix in accordance with a risk 
prioritization matrix. 

49. A system according to Claim 39 wherein said server is further 
configured to identify the top three to five compliance requirements having the 
highest risk. 

50. A system according to Claim 3 1 wherein said server configured 
to identify issues relating to risk is further configured to assemble a cross-functional 
team, map the high risk process steps, construct a failure mode and effect analysis 
matrix, assign severity, occurrence and detection factors, determine risk prioritization 
numbers and define recommended actions to reduce the risk prioritization numbers. 

51. A system according to Claim 50 wherein said server configured 
to map the high-risk process steps is further configured to create a process map. 

52. A system according to Claim 50 wherein said server configured 
to create a process map is configured to create a process map in accordance with a 
failure mode and effect analysis matrix. 

53. A system according to Claim 50 wherein said server configured 
to construct a failure mode and effect analysis matrix is further configured to 
determine potential failure modes for each step in a process, brainstorm potential 
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effects of the failures to identify potential causes of the failures and documents current 
controls. 

54. A system according to Claim 50 wherein said server configured 
to determine risk prioritization number is configured to determine risk prioritization 
numbers as 

severity rating x occurrence rating x detection rating. 

55. A system according to Claim 50 wherein said server configured 
to assign a severity rating, occurrence and detection factors is further configured to 
enter the assigned factors into the failure mode and effect analysis matrix. 

56. A system according to Claim 50 wherein said server configured 
to define recommended actions is further configured to automatically enter at least 
one of the recommended actions, an owner of the recommended action, and expected 
date of completion of the recommended action into the failure mode and effect 
analysis matrix. 

57. A system according to Claim 50 wherein said server configured 
to define recommended actions to reduce the risk of prioritization numbers is further 
configured to reassign ratings and redetermine the risk prioritization numbers. 

58. A system according to Claim 50 wherein said server is further 
configured to monitor progress in reducing the risk prioritization numbers using 
policy scorecards. 

59. A system according to Claim 50 wherein said server configured 
to mitigate is further configured to compile an actions items list and create at least one 
policy dashboard. 

60. A system according to Claim 31 wherein said server is 
configured to allow a user to submit information relating to the identification and 
quantification of compliance via the Internet. 

61. A system according to Claim 31 wherein said server is 
configured to allow a user to submit information relating to the identification and 
quantification of compliance via an Intranet. 
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62. A system according to Claim 31 wherein said network is one of 
a wide area network and a local area network. 

63 . A computer programmed to: 

prompt a user to identify potential risks and failure modes and root 
causes associated with the risks within a compliance program; 

prioritize the risks; and 

prompt the user with at least one mitigation plan to deal with at least 
one of the identified risks, failure modes, and root causes. 

64. A computer according to Claim 63 further programmed to 
prompt a user to identify process owners within the compliance program. 

65. A computer according to Claim 63 wherein to identify the risks 
and failure modes and root causes, said computer displays a computer generated 
screen comprising a questionnaire relating to compliance. 

66. A computer according to Claim 65 wherein the questionnaire 
comprises a question owners matrix. 

67. A computer according to Claim 66 wherein said question 
owners matrix comprises a listing of compliance assessment areas. 

68. A computer according to Claim 63 further programmed to 
calculate a percentage of compliance. 

69. A computer according to Claim 65, said computer further 
programmed to tabulate and graph questionnaire results. 

70. A computer according to Claim 63 wherein to prompt a user 
with a mitigation plan, said computer displays a computer generated screen 
comprising at least one of a completed questionnaire, a summary of current status, 
improvement opportunities, action plans, potential best practices, a program summary 
and a policy assessment summary. 

71. A computer according to Claim 63 wherein to prioritize the 
risks said computer is programmed to: 
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assess compliance risk; and 

relate risks to processes, products and environments. 

72. A computer according to Claim 63 wherein to prioritize the 
risks said computer is programmed to prioritize a list of compliance requirements 
based upon a severity of non-compliance. 

73. A computer according to Claim 72 further programmed to 
organize the list of compliance requirements using a severity matrix format. 

74. A computer according to Claim 72 further programmed to 
generate a risk quality function deployment matrix, using compliance requirements 
and severity ratings for non-compliance of each compliance requirement. 

75. A computer according to Claim 72 further programmed to 
calculate risk prioritization numbers using at least one of severity ratings, a likelihood 
of occurrence factor and a detection ability factor. 

76. A computer program embodied on a computer readable 
medium for managing compliance risk assessment to enable businesses to develop 
broader and deeper coverage of compliance risks, using a network based system 
including a server system coupled to a centralized database and at least one client 
system, said computer program comprising a code segment that: 

develops a questionnaire based on list of compliance requirements and 
stores the questionnaire into a centralized database; 

records and processes qualitative responses against each of the 
questions identified in the questionnaire; 

converts the qualitative responses to quantitative results based on pre- 
determined criteria and develops compliance risk assessment output to enable 
businesses to reduce risks and improve profits. 

77. The computer program as recited in Claim 76 further 
comprising a code segment that compiles list of compliance requirements and 
prioritizes list of compliance requirements based on relative severity of non- 
compliance. 
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78. The computer program as recited in Claim 77 further 
comprising a code segment that compiles list of compliance requirements based on at 
least one of Regulatory Requirements, Contractual Requirements, Internal Policy 
Requirements and Spirit/ Letter Requirements. 

79. The computer program as recited in Claim 77 further 
comprising a code segment that: 

stores severity rating for non-compliance requirements; 

accesses strength of business routines and controls to ensure 
compliance with each policy; 

computes a QFD score; and 

prioritizes compliance risk areas according to risk criteria and process 
control strengths. . 

80. The computer program as recited in Claim 79 further 
comprising a code segment that links business's core process to key compliance risks. 

81. The computer program as recited in Claim 76 further 
comprising a code segment that summarizes findings in an easily readable graphical 
and table formats. 

82. The computer program as recited in Claim 79 further 
comprising a code segment that: 

reports progress since last review; 

identifies focus areas for next review and defines specific 
recommended steps that business managers can implement to reduce risks. 

83. The computer program as recited in Claim 76 further 
comprising a code segment that generates management reports for at least one of 
business groups, departments, regions, and countries. 

84. The computer program as recited in Claim 76 further 
comprising a code segment that identifies opportunities for each businesses. 
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85. The computer program as recited in Claim 76 wherein the 
network is a wide area network operable using a protocol including at least one of 
TCP/IP and IPX. 

86. The computer program as recited in Claim 76 wherein the data 
is received from the user via a graphical user interface. 

87. The computer program as recited in Claim 76 further 
comprising a code segment that develops questionnaires based on pre-stored 
assumptions in the database. 

88. The computer program as recited in Claim 76 wherein the client 
system and the server system are connected via a network and wherein the network is 
one of a wide area network, a local area network, an intranet and the Internet. 

89. The computer program as recited in Claim 76, and further 
comprising a code segment that monitors the security of the system by restricting 
access to unauthorized individuals. 

90. A database comprising: 

data corresponding to identified potential risks; 
data corresponding to prioritization of the risks; and 
data corresponding to a mitigation and control plan. 

91. A database according to Claim 90 further comprising data 
corresponding to a cross-functional team. 

92. A database according to Claim 90 further comprising data 
corresponding to a questionnaire regarding compliance. 

93. A database according to Claim 92 further comprising data 
corresponding to interview results in a questionnaire spreadsheet. 

94. A database according to Claim 90 further comprising data 
corresponding to at least one of a current status summary, improvement opportunities, 
action plans, potential best practices, a program summary and a policy summary. 
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95. A database according to Claim 90 further comprising data 
corresponding to a compliance assessment. 

96. A database according to Claim 90 further comprising data 
corresponding to a quality function deployment assessment score, the assessment 
score calculated as process strength rating x severity rating. 

97. A database according to Claim 90 further comprising data 
corresponding to a failure mode and effects analysis matrix. 

98. A database according to Claim 90 further comprising data 
corresponding to a risk prioritization matrix, risk prioritization calculated as severity 
rating x occurrence rating x detection rating. 

99. A method for compliance assessment comprising the steps of: 

entering, into an electronic interface, identified compliance risks and 
failure modes and root causes associated with the compliance risks; 

entering, into the electronic interface, compliance requirements; and 

requesting, from the electronic interface, a mitigation and control plan. 

100. A method according to Claim 99 further comprising the step of 
entering into the electronic interface, names of a cross-functional team. 

101. A method according to Claim 100 further comprising the steps 

of: 

requesting cross functional team members to complete a compliance 
questionnaire; and 

requesting, from the electronic interface, a summary of questionnaire 

results. 

102. A method according to Claim 101 wherein said step of 
requesting a summary of questionnaire results further comprises the step of 
requesting, from the electronic interface, graphed and tabulated results. 
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103. A method according to Claim 99 further comprising the step of 
requesting, from the electronic interface, prioritization of occurrences of non- 
compliance in a severity matrix. 

104. A method according to Claim 99 further comprising the step of 
requesting, from the electronic interface, an assessment of business routines and 
controls to determine a quality function deployment (QFD) score. 

105. A method according to Claim 104 wherein the QFD score is 
calculated as process strength rating x severity rating. 

106. A method according to Claim 99 further comprising the step of 
requesting, from the electronic interface, a failure mode and effects analysis on a 
number of compliance requirements risks identified in a risk prioritization matrix. 

107. A method according to Claim 106 wherein the number of 
compliance requirements risks identified in the risk prioritization matrix is no less 
than three (3) and no more than five (5). 

108. A method according to Claim 106 further comprising the steps 

of: 

requesting, from the electronic interface, a risk prioritization number; 

and 

generating a prioritization of actions for implementation and allocation 
of resources to reduce the risk prioritization number. 

109. A method according to Claim 108 wherein the risk 
prioritization number is calculated as severity rating * occurrence rating x detection 
rating. 

110. A method according to Claim 108 further comprising the step 
of monitoring risk prioritization numbers using at least one policy scorecard. 

111. A system configured for compliance assessment comprising: 
at least one computer; 
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a server configured to provide a questionnaire which includes a 
plurality of binary questions relating to a compliance program and a definition of what 
constitutes an affirmative answer to the questions to identified process owners, 
compile answers received from the process owners, and summarize the questions and 
answers as an assessment of the compliance program; 

a network connecting said computer to said server; and 

a user interface allowing process owners and members of a cross 
functional team to enter information relating to a compliance assessment. 

112. A system according to Claim 111 wherein said server further 
configured provide a question owner's matrix to the process owners. 

113. A system according to Claim 111 wherein said server further 

configured to: 

automatically convert a compliance assessment from qualitative to 
quantitative results; and 

tabulate and graph the assessment results. 

114. A system according to Claim 113 wherein said server further 
configured to tabulate and graph the assessment results using at least one of a program 
assessment summary and a policy assessment summary. 

115. A method for assessing a compliance program, said method 
comprising the steps of: 

assembling a cross-functional team for determining what constitutes 

compliance; 

creating a questionnaire including a plurality of binary questions 
relating to compliance and defining what constitutes an affirmative answer to the 
questions; 

identifying and interviewing process owners for compliance with the 
compliance program; 

compiling interview results; and 
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summarizing the results as an assessment of the compliance program. 

116. A method according to Claim 1 1 5 wherein said step of creating 
a questionnaire comprises the step of generating a question owner's matrix. 

117. A method according to Claim 115 wherein said step of 
compiling interview results comprises the steps of: 

converting the results from qualitative to quantitative; and 

at least one of tabulating and graphing the results. 

118. A method according to Claim 115 wherein said step of 
summarizing the results as an assessment of the compliance program comprises the 
step of using at least one of a program assessment summary and a policy assessment. 
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